Slow cyber progress puts critical infrastructure at risk

WFED's Jared Serbu

Cybersecurity changes being considered by both Congress and the Obama administration would give the federal government more oversight authority over the operators of the nation's critical infrastructure. And a report issued Tuesday finds the nation's grid operators may need some prodding when it comes to securing their systems from cyber attack.

McAfee, a computer security firm, sponsored the report, which researchers at the Center for Strategic and International Studies wrote as a follow on to their critical civilian infrastructure study from 2010. For the report, they interviewed 200 technology executives in the electricity, oil, gas and water sectors.

"What we found is that they are not ready," the authors wrote. "The professionals charged with protecting these systems report that the threat has accelerated - but the response has not. Cyber exploits and attacks are already widespread. Whether it is cyber criminals engaged in theft or extortion, or foreign governments preparing sophisticated exploits like Stuxnet, cyber attackers have targeted critical infrastructure."

Stuxnet, a piece of sophisticated malware that targets certain power control systems, struck in the period between CSIS's first report and the one they released Tuesday. The new report found 40 percent of the firms surveyed by researchers found Stuxnet in their systems. Additionally, 80 percent said they had faced large-scale denial of service attacks and 85 percent reported that their networks had been infiltrated in some way over the past year. By comparison, fewer than half reported similar attacks in the previous year's report.

Stewart Baker, a visiting fellow at CSIS, a former Homeland Security Department assistant secretary, and a co-author of the report, said researchers wanted to know what steps operators had taken to boost their protections in the face of increasing attacks.

"We didn't want to ask them, 'gee, are you doing more about security?' Because everybody says yes," he said. "So we actually came up with a list of 29 technologies…just a grab bag of security technologies. We asked them last year, and we asked them this year which of these technologies they're using. They went from having 50 percent of those security measures deployed to having 51 percent of those measures."

Baker said one possible explanation for the mismatch between the perceived threat and the response to it is that private companies don't feel equipped to defend themselves in a cyber war alone.

"If you're a private company and you're faced with the prospect of an attack like Stuxnet, there's a feeling of utter helplessness that descends on you," he said. "What do you do about zero-day attacks, multiple zero-day attacks, thumb drive transport, people who are using the very data system you rely on sending out orders and then getting back false reports? You kind of say, 'Geez, General Motors doesn't have its own air defenses against nuclear attack. How am I supposed to solve this problem?' Unfortunately, the response to that sense of helplessness is utter denial."

Michael Peters, the cybersecurity advisor at the Federal Energy Regulatory Commission (FERC), said one problem is that even the energy control systems that are being produced today are not being engineered with security in mind, even as grid operators prepare to roll out a new generation of "smart grid" technologies.

And Peters, who said his comments reflected only his own opinions and not those of FERC, said bolting security onto those systems was inherently difficult.

"These things are very different from corporate IT," he said. "We're used to our IT systems rolling over every 18 months. In the critical infrastructures, we have equipment out there that has 40 or 50 year lifetimes. This stuff doesn't roll over. A lot of the defenses that people might be aware of for corporate networks can't just be slapped onto a control system, or else you might cause more harm than leaving them vulnerable."
Peters said infrastructure operators need to take a top-to-bottom look at their own systems and decide precisely what areas are in need of security attention.

"I recommend people have their best engineers and control system people look at their systems, and figure out, 'how can we cause the most harm to this company and our customers?' Because these experienced people know where the skeletons are buried," he said. "They look at those things and point out those features and they fix them. And if everybody looks at their own selves and asks how they can keep their company profitable and keep providing the products and services that these control systems are designed to do, then everybody writ large will be better off. Right now, people are wondering how they fit into the bigger picture, when in reality I want them to protect themselves. If everybody protects themselves, then we just have to look at the seams to add some additional protections."